Tuesday, 24 November 2009

White House goes Open Source

The White House launched a new version of its website on 24th October. While little has changed on the surface, the underlying technology is now powered by the open source Drupal content management system.

White House hosting history
The www.whitehouse.gov site was previously served by Microsoft IIS 6.0, but the new server software identifies itself as "White House". The new site continues to use Akamai's content delivery network for caching.

White House server headers

Drupal is the 6th largest PHP-based content management system in Netcraft's Web Server Survey, being found on more than 400,000 websites. Drupal's security will no doubt be put to the test in the coming weeks, as the White House website has always stood as an obvious target for hackers. Drupal's security team has a full disclosure policy of announcing security problems after they have been fixed, rather than withholding the information from its users.
Drupal's core security advisories are made public at http://drupal.org/security. Eight advisories have been published so far this year, which have included two highly critical file inclusion flaws which could have allowed remote attackers to execute code on Windows servers.

One of the things that Open Source software needs is high profile visibility. It isn't until people see it working that they will consider using it themselves.
I don't think that corporations like Microsoft will ever lose the majority market, but I think that as open source starts to take hold they will most certainly have to adjust their pricing to be able to compete.
Microsoft have lost two UK councils now who have migrated to Open Office because of the cost savings. The French government now gives USB keys with Open Office and other open source software to students. AOL has open source on all PCs, and The Guardian saved so much money migrating to Open Office in December 2008 that they had a party with an open bar.

An open bar for journalists!

How much money do you have to have saved to be able to comfortably do that?

Monday, 23 November 2009

Hardening Web Servers Against Path Traversal Attacks

What is Path Traversal?

Web servers generally are set up to restrict public access to a specific portion of the Web server’s file system, typically called the “Web document root” directory. This directory contains the files intended for public access and any scripts necessary to provide Web application functionality.
In a path traversal attack, an intruder manipulates a URL in such a way that the Web server executes or reveals the contents of a file anywhere on the server, including files lying outside the document root directory. Path traversal attacks take advantage of special character sequences in URL input parameters, cookies and HTTP request headers.[1]
Real world examples of path traversal strings:
String examples
Path traversal issues can allow an intruder to perform arbitrary code execution, stored XSS attacks or second order SQL injection: for example by uploading malicious code that is later retrieved by a user, uploading a JavaScript file that is later executed by another user, or uploading a piece of code that goes on to execute an SQL query.

Why Path Traversal happens

A path traversal attack happens because user controllable data is used by the application to access files and directories on the application server or on other back end file systems. A path traversal attack is possible in parts of the web application where legitimate file uploading takes place, but it can also happen in parts of the web application where there are dynamic execution issues.
In a search engine field, for example (code example in PHP):
$searchForData = $_GET['searchForData']; // taken straight from the query string, with no validation
A very straightforward example of path traversal attacks uses an RFI (Remote File Inclusion) vulnerability. Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker is allowed to include his own malicious code in the space provided for PHP programs on a web page. For instance, a piece of vulnerable PHP code would look like this:[3]
include($page . '.php'); // $page comes from the request unvalidated, so the include target is attacker-controlled

This line of PHP code is then reached through URLs like the following example:

Because there is no filtering, someone can upload malicious PHP code such as a webshell and have his code included into the current file.

Fixing the problem in Web Application

Multiple levels of security should be used to defeat the vulnerability. All Web Application functionality that is responsible for uploading files (if that is necessary for some reason) should take into consideration the following counter measures:
1. All user supplied data should be decoded and canonicalized, and then checked for path traversal sequences such as ../, ..//, ..\/. This measure should also filter out all null characters, e.g. ../../../../../../../../../../../../../../../../../../boot.ini.jpg with a null character before the .jpg. The null character is used both to bypass a simple file extension check and to cut off the extension when the file is read and processed by the CGI application.[1]
2. The Web Application should perform white list filtering, removing all non-allowed characters or dropping all user supplied data immediately if it does not comply with the white list filter.
3. A chroot environment can be used to create and host a separate, virtualized copy of the operating system, in order to restrict the user from accessing the parts of the file system that should not be reachable.
4. The malicious user trying to perform the path traversal attack has the same privileges as the Web Application process handling the whole interaction. Make sure the Web Application has only the privileges needed to perform its tasks.
5. All malicious activity should be logged, so as to have an understanding of what is being attempted.
APIs used to defeat path traversal issues:
1. In Java, use the getCanonicalPath method of the java.io.File object.
2. In ASP.NET, System.IO.Path.GetFullPath should be used.
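The counter measures above, and the safe alternative to the unvalidated include() shown earlier, carried out in Python as an added example (this is not code from the referenced article or from the page). The upload directory /var/www/uploads, the file names and the log messages are constructed for the example; canonicalization is done with posixpath on the string alone, standing in for getCanonicalPath / GetFullPath so that it runs without touching a real file system.

```python
import logging
import posixpath
from urllib.parse import unquote

log = logging.getLogger("upload-guard")

# Assumed upload directory (constructed for this example; not a path from the article).
DOC_ROOT = "/var/www/uploads"
# White list: only these characters may appear in an uploaded file's name.
ALLOWED = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"
)
MAX_DECODE_ROUNDS = 3


class PathRejected(ValueError):
    """Raised when user input fails one of the path traversal checks."""


def fully_decode(value: str) -> str:
    """Step 1 (decode): percent-decode until the string stops changing.

    A single unquote() misses double-encoded input such as %252e%252e (-> %2e%2e -> ..).
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise PathRejected("too many layers of encoding")


def resolve_upload_path(user_input: str, doc_root: str = DOC_ROOT) -> str:
    """Map a user-supplied file name to a canonical path inside doc_root, or raise PathRejected.

    The checks follow the numbered counter measures, applied in order so that each
    rejection is logged with its reason (measure 5).
    """
    decoded = fully_decode(user_input)

    # Null characters: a C-based runtime truncates the name at the NUL byte, so
    # "boot.ini<NUL>.jpg" passes an extension check but opens boot.ini.
    if "\x00" in decoded:
        log.warning("null byte in file name: %r", user_input)
        raise PathRejected("null byte")

    # Traversal sequences: treat backslash like slash so ..\ and ..\/ are caught too.
    # Any ".." or separator is refused outright (a bare file name needs neither).
    normalised = decoded.replace("\\", "/")
    if ".." in normalised or "/" in normalised:
        log.warning("traversal sequence or separator in file name: %r", user_input)
        raise PathRejected("traversal sequence")

    # Measure 2 (white list): refuse anything outside ALLOWED, and dot-files such as .htaccess.
    if not decoded or decoded.startswith(".") or any(ch not in ALLOWED for ch in decoded):
        log.warning("file name fails white list: %r", user_input)
        raise PathRejected("white list")

    # Measure 1 (canonicalize) and confirm the result still lies under the document root,
    # so the containment check holds even if an earlier filter is ever loosened.
    root = posixpath.normpath(doc_root)
    canonical = posixpath.normpath(posixpath.join(root, decoded))
    if not canonical.startswith(root + "/"):
        log.warning("canonical path escapes document root: %r", user_input)
        raise PathRejected("outside document root")
    return canonical


def is_safe(user_input: str) -> bool:
    """True if the supplied name would be accepted by resolve_upload_path()."""
    try:
        resolve_upload_path(user_input)
    except PathRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate upload and a few classic traversal strings.
    for candidate in ("photo_2009-11.jpg", "../../../../boot.ini",
                      "..%2F..%2Fetc%2Fpasswd", "boot.ini%00.jpg", "..\\..\\win.ini"):
        print(f"{candidate!r:32} -> {'accepted' if is_safe(candidate) else 'rejected'}")
```

The order of the checks matters for the log (measure 5): an encoded ../ is recorded as a traversal attempt rather than as a generic white list failure, which is what an analyst wants to see when reviewing what was attempted. The final containment check is deliberately redundant with the earlier filters; the article's point is that the levels are layered, so a later change to the white list does not silently remove the root check.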

Fixing the problem in IIS

The easiest way to tighten an IIS Web server against this and other attacks is to download and run the IISLockdown tool, free from http://download.microsoft.com. URLScan, which is installed when you run IISLockdown, blocks requests that contain unsafe characters. IISLockdown also disables the parent paths setting, which prevents the use of “..” in script and application calls. Finally, IIS Web administrators should check all Web permissions, which provide an extra layer of security to NTFS file permissions, and consider upgrading to IIS 6.0, which provides significantly enhanced default security over previous versions of IIS.[1]

Reference [1]: http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1134252,00.html
Reference [2]: http://en.wikipedia.org/wiki/Remote_File_Inclusion
Reference [3]: The Web Application Hacker's Handbook, Chapter 10, page 345.

SSL, not so secure?

While talking to Ross from Super Mondays last week we wandered onto SSL and he was quite surprised when I mentioned that it isn't quite as secure as everyone thinks.
Independent hacker Moxie Marlinspike has unveiled new techniques to defeat SSL encryption, which would leave common web applications such as online banking or secure website logins vulnerable to attack.
This would mean that the padlock icon in the corner of supposedly ‘safe’ websites and touted as optimal security by companies like security-with-verisign may not be as safe as people generally believe.
Marlinspike revealed his findings at the Black Hat Security conference in Washington DC, showing a number of ways where the “chain of trust” fell apart around SSL encryption.
He looked at the possibilities for new vectors of attack against HTTPS, the combination of HTTP and a network security protocol, which is often used for payment and sensitive corporate transactions.
Marlinspike also revealed a free software tool called “SSL Strip”, which could be deployed on a network and used for a man in the middle attack on all potential SSL connections.
It stripped away the SSL encryption, substituting a look-alike HTTPS site, while still convincing the user and website the security was in place.
Tools like Ettercap have been used for a long time against SSL, but "SSL Strip" seems to be taking things to a much more advanced and dangerous level.
It seems that ever more personal awareness is going to be needed when logging into what we think are secure sites.

Saturday, 21 November 2009

New All Exploits Site


A great new service for anyone who is interested in security.
At last one huge database of exploits, explanations and codes. This site is a must in the bookmarks for anyone interested in security.

Tuesday, 10 November 2009

No point crying over spilled COFEE

In 2007 Microsoft released a tool called COFEE which is an acronym for Computer Online Forensic Evidence Extractor.
It was released to law enforcement agencies around the world. While COFEE is a professional tool, it’s meant for the average police officer who may not have a lot of experience with computers: you just plug in a USB key with COFEE installed and, if autorun is enabled on the computer, it will run a series of diagnostics and 150 ‘commands’ that can, among other things, decrypt passwords, display internet activity, and uncover all data stored on the computer. Most importantly, it can do this on-site, rather than an investigator needing to remove a machine during a search or raid and send it to a lab for analysis. It then writes a report and generally gives a quick and dirty analysis of the computer. It’s not an exhaustive tool, and most of the commands and tools COFEE uses are things that many hackers already have on their computers and could run manually any time they want.
COFEE is a good simple tool and a tool law enforcement officers need and should have, and it’s been a pretty closely guarded tool – until now.
In the last few days, a user on what.cd uploaded a torrent of COFEE and made it available for any user to download. Which, of course, means that it’s now available on any number of bittorrent sites. The site it was originally found on did something they rarely do and took the torrent offline, but it was already too late and the tool is in the wild. Even if many of the bittorrent sites agree to pull the torrent, there are enough users who have the file and enough sites that will be uncooperative that it’s very unlikely that this djinni can be put back in the bottle.
The fact that this tool has been a big mystery before now has made it very enticing, but getting your hands on a copy has been limited to a very few people who were in law enforcement or had friends that were.
It needs to be pointed out that COFEE is owned and jealously guarded by Microsoft. I won’t be surprised if they start going after people to get this removed from the Internet.
Now that the COFEE has been spilled into the tubes of the Internet, what are the moral and ethical responsibilities as security professionals, IT managers or personnel managers concerning the tool? This is a tool that’s aimed at letting police officers who are computer novices collect valuable forensics information using applications that are available natively in Windows and creating a simple report for future reference. While this is interesting, it’s nothing top secret or even that revolutionary, but it does impact on many privacy laws if it is used wrongly.
I suspect the main reason it was only available to law enforcement officers was to keep malware creators and hackers from learning the limits of COFEE and figuring out ways to prevent it from collecting anything if they ever have their own computers seized.
Personally I think the tool’s been leaked and, rather than try to get it back, law enforcement and the security community should be concentrating on providing an even better tool that will do everything COFEE can do and more using open source tools. There are any number of forensics tools already out there that will do a very good job of evaluating a desktop’s running configuration and that could be made at least as easy to use as COFEE; the hard part would probably be getting law enforcement agents to accept something that didn’t have a huge name like Microsoft behind it. For example, if a limited version of Backtrack was created that would run when you plug a USB key into the computer, the amount of data collected could be greatly increased.
If there are already other tools available that can easily and cheaply provide law enforcement with forensics evidence they can use in court, I don’t know of them and would appreciate some pointers. If not, someone needs to create something and make it available to law enforcement, especially if it’s something that’s easy for a computer neophyte to use. I don’t think that having COFEE leaked reduces its effectiveness or makes it harder for law enforcement to use, but I believe that the open source community can create a better tool and make it available to everyone without feeling a need to keep its capabilities secret.

Thursday, 5 November 2009

SSH Security issues on Jailbroken iPhones

Jailbreaking (http://www.theiphoneblog.com/iphone-jailbreak-unlock/) an iPhone unlocks some very useful features that the iPhone is lacking and gives you the control over your device that you should have had in the first place. Just getting access to the xGPS project and its turn-by-turn directions has been more than enough reason for many people to jailbreak a phone.
But as Uncle Ben once told Peter Parker, “With great power comes great responsibility.” Apple locked down the iPhone in part to protect users from the bad guys out there, and if you’re in parts of central Europe with a jailbroken iPhone you may be regretting having taken your security into your own hands.

A Dutch hacker has started breaking into iPhones that have been jailbroken and left SSH running with the default root password. This enabled the hacker to log into the iPhones and send the owner a message telling them their iPhone is insecure. It goes on to give them a link and asks for 5 euros in order to secure the phone. This has been sighted on a relatively few iPhones so far, but it’s not inconceivable that this exploit could be used on a much wider scale.

This just highlights that the act of jailbreaking your iPhone or hacking any manufacturer’s device places the onus of securing the device back on the owner rather than on the manufacturer.

Once you’ve taken the steps to jailbreak an iPhone you’ve relieved Apple of the security responsibility. It may not take much, but if you’ve done the necessary research to download the tools to free your device, you are also taking on the responsibility of securing the same device. So take the time to do a little more research and figure out what steps you need to take beyond just jailbreaking to secure your iPhone.

Tuesday, 3 November 2009

White Hat Hackers Already Testing Google Wave

The above screenshot shows an actual gadget inside a Wave that was created by White Hat Hacker Harmony.
Imagine the possibilities of connecting Facebook with Google Wave. You could post information to your Facebook profile right from within Wave, or connect wave participants to Facebook profiles. If you came across this gadget in a wave you were viewing, wouldn’t you love to at least try it out?
There’s just one problem. The above gadget is fake. Not the screenshot, mind you: Harmony has created the gadget, but nothing will happen when you try to connect.
And in this case, truly nothing will happen, since the gadget is designed to be harmless, but I imagine many users would fall prey to such a trick, which could be easily adapted for phishing attacks.
Ask yourself honestly, would you have tried to log in? More importantly, if you came across such a gadget in a wave, how would you know whether it came from me, a legitimate developer, facebook.com, or a malicious host?
I post all this to raise a broader point than simply “beware of phishing attacks.” The balance between security and usability is a constant struggle for developers.
Yet we all need to be concerned by the patterns we are training users to become accustomed to. Remember, most people now access Facebook from their place of work, and this will in all probability also be the case with Google Wave. (Case in point above: chromeless gadgets within a wave that provide no indication of source.)
In some ways I almost feel that Google Wave is recreating the web browser. Browsers are applications that can load any sort of web page. Google Wave is an application that can load all sorts of web pages within waves. Yet many of the features developed for browsers to warn a user of insecure sites or phishing attacks (even as basic as the address bar, which shows the current domain) are not replicated when a user loads a gadget in Wave.
Many have described Wave as a reinvention of e-mail. Reinventing a technology can be very beneficial, but let’s not forget lessons learned in the old technology – there’s a reason most e-mail clients don’t allow iframes and JavaScript, for instance.
I’m certainly not the first to raise these concerns; others have previously mentioned the danger of login forms on iGoogle gadgets. Nor am I saying that I don’t want Google Wave to succeed. But if we’re going to reinvent a technology, let’s address some of these basic issues of user expectations, human nature and security precautions from the start.

Monday, 2 November 2009

Google wave as a hacking tool

Many security researchers are familiar with BeEF, a browser exploitation framework by Wade Alcorn. In short, BeEF is a program that brings together various types of code for taking advantage of known vulnerabilities in web browsers. If a target computer loads a certain bit of code within a web page, that code connects to a server control panel which can then execute certain attacks against the “zombie” machine.

After noting potential security issues with the gadgets in Google Wave, I set about finally setting up a BeEF testbed to see if Google Wave was as capable a platform for malware delivery as I suspected.

Example of a BeEF zombie spawned via Google Wave

The picture above shows the results. I successfully created a Google Wave gadget that creates a new BeEF zombie whenever someone views the wave. This does not allow for the keylogger function of BeEF, but I did send an alert dialog (as shown) and used the Chrome DoS function to crash the browser tab. (I could also detect that the zombie machine had Flash installed – imagine the possibilities of using Flash or PDF exploits in an auto-loaded gadget.)

What’s even more disconcerting is that BeEF can integrate with Metasploit to potentially take over a victim’s machine. I do not currently have Metasploit set up to test using Autopwn, but based on my experiences so far, I’m fairly confident such an attack would succeed.

All of these demonstrations about security and Google Wave point to four general weaknesses in Wave’s current structure:

1. Allowing scripts and iframes in gadgets with no limits apart from sandboxing
2. Lack of control over what content or users can be added to a wave
3. No simple mechanism for verifying gadget sources or features
4. Automatically loading gadgets when a wave is viewed

Any one of these issues would be cause for concern, but taken together they present such alarming possibilities as a user getting their computer hacked simply by viewing a wave. Whatever may be said about Google Wave’s usefulness, I have to conclude that the product is not ready for prime time until these types of problems are addressed.

Cloud Computing - The Business Dilemma

While attending an IT event last week a discussion was started about Cloud computing and why the take-up from business seems to be slower than those involved in technology would like.

Cloud has a lot in its favour: it is immeasurably scalable, it is phenomenally cost effective and it is 'green' for the bearded environmentalists. So with everyone in the land of digital talking about cloud, why is it such a hard sell?
The answer is that no-one who actually spends money (as in accountants and FDs) knows what it really is. You have to look at cloud from a historical perspective, and there isn't very much history to look at.
It was in the early months of 2000 just as the world realised that no computers were going to crash with the millennium bug that Microsoft started to introduce the concept of Software as a Service through the development of what was then called Web Services.

Amazon who were an early adopter of web services decided to modernise their data centres and by 2005 they were providing access through a product gateway called Amazon Web Services. The web services offering was not developed further until 2007 when Google, IBM and a number of Universities embarked on a large scale project which envisioned and created the first cloud computing service.
That year was 2007, that's only two years ago, and that is an important point and the first reason why there are not a lot of companies examining the possibility of a cloud roll out just yet.

The second reason is that once again technical innovators have approached the problem from a techie point of view. Cloud is a lovely thing for those who like to admire the sheen on their new 42u rack or who talk to their friends about the new switch in the cabinet. But for a businessman who has business issues to deal with, a shiny cabinet and decent throughput is not his primary concern.
A CEO of a large corporate is more likely to worry about legal issues regarding data than how cheaply you can keep it or how much more of it you can store for half the price. Yes, financial issues are considered, but go to any purchase manager and you will find that the cheapest option or the newest option is not often the one that is purchased.
Cloud computing gives CEOs more headaches than a gaggle of trade union officers (if that isn't the collective perhaps it should be).
Cloud deals with none of the legal issues regarding data storage and can't answer any of the business continuity or technology security questions that are being asked. For example, regulatory compliance in the UK states that an organisation is responsible for the security of its data even when it is being held by a third party provider. It also states that data can't be moved from the country, which doesn't help if your cloud supplier stores it in the USA. That then gives us the problem of the Patriot Act, which means the USA can view your data, and copy it, and not even tell you they have done that. Data in a cloud is in a shared environment, which means that data segregation is an issue. Encryption is effective but doesn't supply a total solution, and encryption accidents have been known to make data completely unusable.

Another Cloud turn-off is the marketing hype, and if there is anything most likely to scare off a potential client it is seeing the marketeers trying hard to sell something. Everyone in business knows that when there is something good they will hear about it through channels they can trust; that's why they all drive BMWs or Mercedes and carry MacBooks. A buying decision takes more than hype and a good marketing slogan. I know many board members who hate with a passion the phrase 110%, so to see cloud advertised as "110% up time" just makes them think that someone doesn't get the concept of percentages. It takes time and it takes answers to questions. Cloud doesn't have either of these on its side yet.

Finally there is the real security issue. Hackers have not yet learned how to reliably and invisibly place a virtual machine into a cloud. They can place it, they just can't hide it yet. When that happens everything on the cloud will be accessible. 
New scanning tools are being written now to search out information in the cloud, information at rest and in transit. A virtual machine within the cloud will be free to monitor data as it passes through hubs, switches, mail servers, in fact anywhere, and the amount of damage that could be done before a fix is made could be catastrophic to multiple organisations on levels that we have never previously seen.

The history of technology shows that there have been casualties when there have been early adopters. Yes, there have been great successes, but if you talk about getting in first people still remember Boo, Flooz and pets.com, and they also remember the more recent problems that beset early adopters of the iPhone.
Under those circumstances, to approach an organisation about taking a paradigm shift in its technology delivery based on something that was created two years ago, and that can't just yet make any promises that you won't go to jail, may be expecting just a little too much.